
Browser Hijacked (Daonol?)


  • This topic is locked
14 replies to this topic

#1 Slatz

Slatz

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:30 PM

Posted 24 March 2009 - 10:53 AM

...I've tried to figure this one out on my own, but I'm stuck. My DIY ethic is stymied. And so you, oh powers of the Internet, to you I appeal.

What's gone on:

It came in when I was using the latest version of Firefox.
It's disabled my anti-virus.
It's disabled my ability to use Windows Update.
It's disabled regedit.
I can't run dds.scr or any variant, even after disabling all anti-virals/spywares.
It seems to redirect to a variety of websites (some are bmxok.info, kytoon.com, searchsmartword.biz, monstermarketplace.com).
It's the same under safe mode.

Based on looking at my file modification history, I think it came in through Java, so (trying everything) I removed Java to be excessive. When trying to do this on my own, I took out a blank line in Hijack This, and later some IE toolbar buttons that this website listed as non-essential processes, though the filepaths looked right for all of them.

I've run Ad-Aware, Malwarebytes', and Spybot S & D. I've run cwshredder, though it always comes up as "can't update." I've run Panda and Microsoft's anti-virus. I can't run Housecall. I've checked the log files, emptied the trash, made burnt offerings, et cetera.

Poking around when unable to run dds, I noted this topic:
http://www.bleepingcomputer.com/forums/t/213037/help-please-unable-to-run-ddsscr-google-redirect/

which sounds pretty similar to my circumstances, and so ran RSIT. The results:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Slatz at 2009-03-24 10:33:38
Microsoft Windows XP Professional Service Pack 3
System drive C: has 10 GB (11%) free of 93 GB
Total RAM: 991 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:47 AM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPrinterSelect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Live365\Radio365\Radio365TrayAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Config2500\Utility\Config2500.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Documents and Settings\J.S. Majer\Desktop\RSIT.exe
C:\hoo\J.S. Majer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [PrintWhere Router 3.0] C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcRoute.exe
O4 - HKLM\..\Run: [PrinterOn Printer Select 3.0] C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPrinterSelect.exe -NOUI
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Radio365Agent] C:\PROGRA~1\Live365\Radio365\Radio365TrayAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: Config2500.lnk = C:\Program Files\Config2500\Utility\Config2500.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1230351699816
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 6603 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"=C:\WINDOWS\system32\VTTimer.exe [2005-04-28 53248]
"VTTrayp"=C:\WINDOWS\system32\VTtrayp.exe [2005-04-28 143360]
"AudioDeck"=C:\Program Files\VIAudioi\SBADeck\ADeck.exe [2005-04-07 512000]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-04-21 708697]
"Realtime Monitor"=C:\PROGRA~1\CA\ETRUST~1\realmon.exe [2003-02-13 493024]
"PrintWhere Router 3.0"=C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcRoute.exe [2008-06-20 544768]
"PrinterOn Printer Select 3.0"=C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPrinterSelect.exe [2008-06-20 790528]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-02-06 177472]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-03-12 342312]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-03-09 515416]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Radio365Agent"=C:\PROGRA~1\Live365\Radio365\Radio365TrayAgent.exe [2005-09-22 303104]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-07-15 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
C:\WINDOWS\sm56hlpr.exe [2005-04-28 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
Config2500.lnk - C:\Program Files\Config2500\Utility\Config2500.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\PROGRA~1\ExamSoft\SofTest\SoftLnch.exe"="C:\PROGRA~1\ExamSoft\SofTest\SoftLnch.exe:*:Enabled:SofLaunch"
"C:\PROGRA~1\ExamSoft\SofTest\softest.exe"="C:\PROGRA~1\ExamSoft\SofTest\SofTest.exe:*:Enabled:SofTest"
"C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPost.exe"="C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPost.exe:*:Enabled:PrintWhere 3.0 Server Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPrinterSelect.exe"="C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPrinterSelect.exe:*:Enabled:PrintWhere 3.0 Printer Select"
"C:\Program Files\Atlantis\Atlantis.exe"="C:\Program Files\Atlantis\Atlantis.exe:*:Enabled:Atlantis Word Processor"
"C:\Program Files\ExamSoft\SofTest\SoftLnch.exe"="C:\Program Files\ExamSoft\SoftLnch.exe:*:Enabled:SofLaunch
"
"C:\Program Files\ExamSoft\SofTest\softest.exe"="C:\Program Files\ExamSoft\SofTest.exe:*:Enabled:SofTest
"
"C:\Program Files\CA\SharedComponents\ScanEngine\Inodist.exe"="C:\Program Files\CA\SharedComponents\ScanEngine\Inodist.exe:*:Enabled:Inodist"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-03-24 10:33:38 ----D---- C:\rsit
2009-03-24 08:53:54 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-03-24 08:44:04 ----HDC---- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 08:43:52 ----D---- C:\Program Files\Lavasoft
2009-03-24 08:37:49 ----D---- C:\hoo
2009-03-23 23:56:14 ----D---- C:\h
2009-03-23 22:05:39 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-23 21:53:10 ----D---- C:\WINDOWS\CSC
2009-03-23 14:24:19 ----D---- C:\Program Files\Panda Security
2009-03-23 14:14:00 ----HDC---- C:\WINDOWS\ie8
2009-03-23 13:38:25 ----D---- C:\WINDOWS\pss
2009-03-23 08:08:16 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-03-23 08:08:16 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-23 07:59:39 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-03-23 07:08:08 ----D---- C:\Documents and Settings\J.S. Majer\Application Data\Malwarebytes
2009-03-23 07:08:03 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-23 02:23:48 ----D---- C:\Program Files\Windows Live Safety Center
2009-03-23 02:06:44 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-03-23 02:06:27 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
2009-03-23 02:06:27 ----A---- C:\WINDOWS\system32\ztvunace26.dll
2009-03-23 02:06:27 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
2009-03-23 02:06:27 ----A---- C:\WINDOWS\system32\UNRAR3.dll
2009-03-23 02:06:27 ----A---- C:\WINDOWS\system32\unacev2.dll
2009-03-22 21:38:43 ----D---- C:\WINDOWS\system32\HouseCall 6.6
2009-03-16 21:08:16 ----D---- C:\Program Files\iPod
2009-03-16 21:08:11 ----D---- C:\Program Files\iTunes
2009-03-16 21:08:11 ----D---- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 21:05:43 ----D---- C:\Program Files\QuickTime
2009-03-08 14:22:30 ----N---- C:\WINDOWS\system32\msrating.dll.mui
2009-03-08 14:22:18 ----N---- C:\WINDOWS\system32\mshta.exe.mui
2009-03-08 14:21:06 ----N---- C:\WINDOWS\system32\ie4uinit.exe.mui
2009-03-08 14:20:54 ----N---- C:\WINDOWS\system32\iedkcs32.dll.mui
2009-03-07 23:30:50 ----D---- C:\Program Files\7-Zip
2009-03-03 18:02:41 ----HDC---- C:\WINDOWS\$NtUninstallKB943729$
2009-03-03 18:02:31 ----HDC---- C:\WINDOWS\$NtUninstallKB902344$
2009-03-03 11:37:05 ----D---- C:\Program Files\Cisco Systems
2009-03-02 22:16:02 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-03-02 22:15:04 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$

======List of files/folders modified in the last 1 months======

2009-03-24 10:33:31 ----D---- C:\WINDOWS\Prefetch
2009-03-24 10:16:13 ----D---- C:\Program Files\Mozilla Firefox
2009-03-24 10:10:30 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-03-24 09:43:50 ----SD---- C:\Documents and Settings\J.S. Majer\Application Data\Microsoft
2009-03-24 09:19:50 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-24 08:53:54 ----D---- C:\WINDOWS\system32
2009-03-24 08:52:36 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-24 08:49:44 ----D---- C:\WINDOWS\Temp
2009-03-24 08:48:11 ----D---- C:\Documents and Settings\J.S. Majer\Application Data\WTablet
2009-03-24 08:46:44 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-24 08:46:31 ----D---- C:\WINDOWS\system32\drivers
2009-03-24 08:46:27 ----SD---- C:\WINDOWS\Tasks
2009-03-24 08:46:15 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-03-24 08:44:04 ----SHD---- C:\WINDOWS\Installer
2009-03-24 08:43:52 ----RD---- C:\Program Files
2009-03-24 07:59:35 ----D---- C:\WINDOWS
2009-03-24 00:30:00 ----D---- C:\Program Files\Common Files
2009-03-24 00:20:15 ----HD---- C:\WINDOWS\inf
2009-03-23 23:57:39 ----A---- C:\WINDOWS\ntbtlog.txt
2009-03-23 22:53:59 ----D---- C:\WINDOWS\system32\appmgmt
2009-03-23 22:40:59 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-23 14:18:55 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-23 14:18:55 ----D---- C:\WINDOWS\system32\en-US
2009-03-23 14:18:55 ----D---- C:\WINDOWS\Media
2009-03-23 14:18:55 ----D---- C:\WINDOWS\Help
2009-03-23 14:18:55 ----D---- C:\Program Files\Internet Explorer
2009-03-23 14:01:44 ----RASH---- C:\boot.ini
2009-03-23 14:01:44 ----A---- C:\WINDOWS\win.ini
2009-03-23 14:01:44 ----A---- C:\WINDOWS\system.ini
2009-03-23 08:04:53 ----D---- C:\Program Files\Trend Micro
2009-03-23 07:59:31 ----D---- C:\WINDOWS\WinSxS
2009-03-23 01:07:46 ----A---- C:\WINDOWS\imsins.BAK
2009-03-22 08:17:17 ----A---- C:\WINDOWS\hpbafd.ini
2009-03-16 21:08:15 ----D---- C:\Program Files\Common Files\Apple
2009-03-08 14:22:46 ----A---- C:\WINDOWS\system32\ieframe.dll.mui
2009-03-08 14:21:06 ----A---- C:\WINDOWS\system32\advpack.dll.mui
2009-03-08 14:09:26 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2009-03-08 04:41:16 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-03-08 04:39:48 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-03-08 04:34:58 ----A---- C:\WINDOWS\system32\wininet.dll
2009-03-08 04:34:56 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-03-08 04:34:48 ----A---- C:\WINDOWS\system32\WinFXDocObj.exe
2009-03-08 04:34:48 ----A---- C:\WINDOWS\system32\webcheck.dll
2009-03-08 04:34:30 ----A---- C:\WINDOWS\system32\licmgr10.dll
2009-03-08 04:34:28 ----A---- C:\WINDOWS\system32\url.dll
2009-03-08 04:34:18 ----A---- C:\WINDOWS\system32\occache.dll
2009-03-08 04:34:18 ----A---- C:\WINDOWS\system32\msrating.dll
2009-03-08 04:33:40 ----A---- C:\WINDOWS\system32\corpol.dll
2009-03-08 04:33:26 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-03-08 04:33:16 ----A---- C:\WINDOWS\system32\jscript.dll
2009-03-08 04:33:08 ----A---- C:\WINDOWS\system32\ieaksie.dll
2009-03-08 04:33:06 ----A---- C:\WINDOWS\system32\vbscript.dll
2009-03-08 04:33:02 ----A---- C:\WINDOWS\system32\ieakeng.dll
2009-03-08 04:32:56 ----A---- C:\WINDOWS\system32\admparse.dll
2009-03-08 04:32:54 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2009-03-08 04:32:52 ----A---- C:\WINDOWS\system32\ieudinit.exe
2009-03-08 04:32:52 ----A---- C:\WINDOWS\system32\ieakui.dll
2009-03-08 04:32:50 ----A---- C:\WINDOWS\system32\iesetup.dll
2009-03-08 04:32:50 ----A---- C:\WINDOWS\system32\iernonce.dll
2009-03-08 04:32:48 ----A---- C:\WINDOWS\system32\advpack.dll
2009-03-08 04:32:46 ----A---- C:\WINDOWS\system32\inseng.dll
2009-03-08 04:32:26 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-03-08 04:32:22 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-03-08 04:32:04 ----A---- C:\WINDOWS\system32\mstime.dll
2009-03-08 04:31:56 ----A---- C:\WINDOWS\system32\iepeers.dll
2009-03-08 04:31:54 ----A---- C:\WINDOWS\system32\msfeedssync.exe
2009-03-08 04:31:52 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-03-08 04:31:52 ----A---- C:\WINDOWS\system32\icardie.dll
2009-03-08 04:31:44 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2009-03-08 04:31:38 ----A---- C:\WINDOWS\system32\imgutil.dll
2009-03-08 04:31:38 ----A---- C:\WINDOWS\system32\dxtrans.dll
2009-03-08 04:31:36 ----A---- C:\WINDOWS\system32\pngfilt.dll
2009-03-08 04:31:26 ----A---- C:\WINDOWS\system32\mshtmled.dll
2009-03-08 04:31:18 ----A---- C:\WINDOWS\system32\mshtmler.dll
2009-03-08 04:31:02 ----A---- C:\WINDOWS\system32\mshta.exe
2009-03-08 04:22:46 ----A---- C:\WINDOWS\system32\ieui.dll
2009-03-08 04:22:38 ----A---- C:\WINDOWS\system32\msls31.dll
2009-03-08 04:11:12 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2009-03-08 01:08:18 ----D---- C:\WINDOWS\AppPatch
2009-03-06 06:17:48 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-06 05:16:49 ----D---- C:\Program Files\Windows Desktop Search
2009-03-05 13:24:13 ----D---- C:\Program Files\Quicken
2009-03-05 13:24:08 ----AC---- C:\WINDOWS\QUICKEN.INI
2009-03-05 13:23:08 ----D---- C:\Program Files\Common Files\Intuit
2009-03-05 13:22:50 ----RSD---- C:\WINDOWS\Fonts
2009-03-05 13:09:14 ----D---- C:\WINDOWS\system32\wbem
2009-03-02 22:15:53 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-02 22:14:33 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-08-11 39424]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\System32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 ACEDRV06;ACEDRV06; \??\C:\WINDOWS\system32\drivers\ACEDRV06.sys []
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.1.6.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-07-12 17119]
R2 INO_FLTR;INO_FLTR; \??\C:\WINDOWS\system32\Drivers\ino_fltr.sys []
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 43520]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 RT2500;RT2500 Wireless Driver; C:\WINDOWS\system32\DRIVERS\RT2500.sys [2006-06-02 236800]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-04-21 189664]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 viagfx;viagfx; C:\WINDOWS\system32\DRIVERS\vtmini.sys [2005-04-28 172544]
R3 VIAudio;Vinyl AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\vinyl97.sys [2007-06-27 207488]
R3 wacommousefilter;Wacom Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11312]
R3 wacomvhid;Wacom Virtual Hid Driver; C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2008-08-18 13352]
R3 WacomVKHid;Virtual Keyboard Driver; C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 11440]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-13 206976]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 43520]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-01-15 23848]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wacmoumonitor;Wacom Mode Helper; C:\WINDOWS\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 InoRPC;eTrust Antivirus RPC Server; C:\Program Files\CA\eTrust Antivirus\InoRpc.exe [2003-02-13 144864]
R2 InoRT;eTrust Antivirus Realtime Server; C:\Program Files\CA\eTrust Antivirus\InoRT.exe [2003-02-13 230880]
R2 InoTask;eTrust Antivirus Job Server; C:\Program Files\CA\eTrust Antivirus\InoTask.exe [2003-02-13 234976]
R2 LogWatch;Event Log Watch; C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 53248]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 TabletServicePen;TabletServicePen; C:\WINDOWS\system32\Pen_Tablet.exe [2008-12-11 2749736]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-03-12 656168]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 CA_LIC_CLNT;CA License Client; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 77824]
S3 CA_LIC_SRVR;CA License Server; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 77824]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; C:\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2002-08-01 65536]
S3 WMConnectCDS;Windows Media Connect Service; C:\Program Files\Windows Media Connect 2\wmccds.exe [2005-10-06 855552]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


Thank you for looking at this.
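The log above is long, and most of it is routine. As an added example (not part of this thread, and not one of the tools the poster used), the following Python script shows how a reviewer can triage a HijackThis/RSIT log mechanically before reading it by hand: it parses the "Running processes:" list and the O4 startup entries, pulls the executable path out of each command line, and lists the ones that run from outside the usual Windows and Program Files locations or have no directory at all. The sample lines are copied from the log above, and the directory roots, parsing helpers and verdict strings are my own assumptions. A hit is a cue for a human to look closer, not a verdict: RSIT.exe on the Desktop is flagged simply because it was run from the user's profile.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the thread)."""
import re

# Assumed roots where installed software normally lives on a Windows XP box.
# Running from elsewhere proves nothing by itself; it only earns a closer look.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Matches the image path at the start of a command line, with or without quotes,
# stopping at the first executable-style extension so trailing arguments are dropped.
EXE_RE = re.compile(r'"?(.*?\.(?:exe|scr|dll|com|bat|cmd))', re.IGNORECASE)

# Constructed sample: a handful of lines in the exact format the log above uses.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\J.S. Majer\Desktop\RSIT.exe
C:\hoo\J.S. Majer.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Config2500.lnk = C:\Program Files\Config2500\Utility\Config2500.exe
"""


def extract_executable(command):
    """Return the image path from a Run-key command line.

    Handles quoted paths followed by arguments, unquoted paths that contain
    spaces and are followed by arguments, and bare file names with no directory.
    """
    match = EXE_RE.match(command.strip())
    return match.group(1) if match else command.strip()


def parse_log(log_text):
    """Yield (section, image_path) for every running process and O4 startup item."""
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                 # a blank line ends the process list
                in_processes = False
                continue
            yield "process", line        # each line is a full image path
        elif line.startswith("O4 - "):
            _, rest = line.split(": ", 1)        # drop the "O4 - HKLM\..\Run" prefix
            if rest.startswith("["):             # "[entry name] command line"
                rest = rest.split("] ", 1)[1]
            elif " = " in rest:                  # "shortcut.lnk = target path"
                rest = rest.split(" = ", 1)[1]
            yield "O4", extract_executable(rest)


def classify(path):
    """Assumed verdict strings: 'ok', or a short reason the entry deserves review."""
    low = path.lower()
    if "\\" not in low:
        return "bare name, resolved via PATH"
    if low.startswith(EXPECTED_ROOTS):
        return "ok"
    return "outside standard directories"


def triage(log_text):
    """Return (section, path, reason) for the entries worth a reviewer's attention."""
    return [(section, path, classify(path))
            for section, path in parse_log(log_text)
            if classify(path) != "ok"]


if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_LOG):
        print(f"{section:8} {reason:32} {path}")
```

Run against the constructed sample, the script lists the two processes running from outside the standard roots (the Desktop copy of RSIT.exe and C:\hoo\J.S. Majer.exe) and the one Run entry that names a bare file name (VTTimer.exe) rather than a full path, leaving the reviewer to decide what each one actually is.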


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:30 PM

Posted 31 March 2009 - 06:38 PM

Hello Slatz,

Sorry about the delay. :thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 Slatz

Slatz
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:30 PM

Posted 31 March 2009 - 07:27 PM

tea,

Don't fret the delay. I understand things are a bit busy these days.

I have left the computer disconnected from the internet since making the first log, and, for the most part, turned off and in the corner.

I can also say that this time, RSIT crashed on the first run, and I had to restart the computer. But the log of the second run is as follows.

Thanks again for taking a look.

-Slatz

---
Logfile of random's system information tool 1.06 (written by random/random)
Run by J.S. Majer at 2009-03-31 19:13:40
Microsoft Windows XP Professional Service Pack 3
System drive C: has 10 GB (11%) free of 93 GB
Total RAM: 991 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:03 PM, on 3/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPrinterSelect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\Live365\Radio365\Radio365TrayAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Config2500\Utility\Config2500.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\J.S. Majer\Desktop\RSIT.exe
C:\hoo\J.S. Majer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [PrintWhere Router 3.0] C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcRoute.exe
O4 - HKLM\..\Run: [PrinterOn Printer Select 3.0] C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPrinterSelect.exe -NOUI
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Radio365Agent] C:\PROGRA~1\Live365\Radio365\Radio365TrayAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: Config2500.lnk = C:\Program Files\Config2500\Utility\Config2500.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1230351699816
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 6885 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"=C:\WINDOWS\system32\VTTimer.exe [2005-04-28 53248]
"VTTrayp"=C:\WINDOWS\system32\VTtrayp.exe [2005-04-28 143360]
"AudioDeck"=C:\Program Files\VIAudioi\SBADeck\ADeck.exe [2005-04-07 512000]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-04-21 708697]
"Realtime Monitor"=C:\PROGRA~1\CA\ETRUST~1\realmon.exe [2003-02-13 493024]
"PrintWhere Router 3.0"=C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcRoute.exe [2008-06-20 544768]
"PrinterOn Printer Select 3.0"=C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPrinterSelect.exe [2008-06-20 790528]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-02-06 177472]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-03-12 342312]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-03-09 515416]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Radio365Agent"=C:\PROGRA~1\Live365\Radio365\Radio365TrayAgent.exe [2005-09-22 303104]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-07-15 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
C:\WINDOWS\sm56hlpr.exe [2005-04-28 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
Config2500.lnk - C:\Program Files\Config2500\Utility\Config2500.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\PROGRA~1\ExamSoft\SofTest\SoftLnch.exe"="C:\PROGRA~1\ExamSoft\SofTest\SoftLnch.exe:*:Enabled:SofLaunch"
"C:\PROGRA~1\ExamSoft\SofTest\softest.exe"="C:\PROGRA~1\ExamSoft\SofTest\SofTest.exe:*:Enabled:SofTest"
"C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPost.exe"="C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPost.exe:*:Enabled:PrintWhere 3.0 Server Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPrinterSelect.exe"="C:\Program Files\PrinterOn Corporation\PrintWhere 3.0\pwcPrinterSelect.exe:*:Enabled:PrintWhere 3.0 Printer Select"
"C:\Program Files\Atlantis\Atlantis.exe"="C:\Program Files\Atlantis\Atlantis.exe:*:Enabled:Atlantis Word Processor"
"C:\Program Files\ExamSoft\SofTest\SoftLnch.exe"="C:\Program Files\ExamSoft\SoftLnch.exe:*:Enabled:SofLaunch
"
"C:\Program Files\ExamSoft\SofTest\softest.exe"="C:\Program Files\ExamSoft\SofTest.exe:*:Enabled:SofTest
"
"C:\Program Files\CA\SharedComponents\ScanEngine\Inodist.exe"="C:\Program Files\CA\SharedComponents\ScanEngine\Inodist.exe:*:Enabled:Inodist"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-03-24 10:33:38 ----D---- C:\rsit
2009-03-24 08:53:54 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-03-24 08:44:04 ----HDC---- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 08:43:52 ----D---- C:\Program Files\Lavasoft
2009-03-24 08:37:49 ----D---- C:\hoo
2009-03-23 23:56:14 ----D---- C:\h
2009-03-23 22:05:39 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-23 21:53:10 ----D---- C:\WINDOWS\CSC
2009-03-23 14:24:19 ----D---- C:\Program Files\Panda Security
2009-03-23 14:14:00 ----HDC---- C:\WINDOWS\ie8
2009-03-23 13:38:25 ----D---- C:\WINDOWS\pss
2009-03-23 08:08:16 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-03-23 08:08:16 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-23 07:59:39 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-03-23 07:08:08 ----D---- C:\Documents and Settings\J.S. Majer\Application Data\Malwarebytes
2009-03-23 07:08:03 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-23 02:23:48 ----D---- C:\Program Files\Windows Live Safety Center
2009-03-23 02:06:44 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-03-23 02:06:27 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
2009-03-23 02:06:27 ----A---- C:\WINDOWS\system32\ztvunace26.dll
2009-03-23 02:06:27 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
2009-03-23 02:06:27 ----A---- C:\WINDOWS\system32\UNRAR3.dll
2009-03-23 02:06:27 ----A---- C:\WINDOWS\system32\unacev2.dll
2009-03-22 21:38:43 ----D---- C:\WINDOWS\system32\HouseCall 6.6
2009-03-16 21:08:16 ----D---- C:\Program Files\iPod
2009-03-16 21:08:11 ----D---- C:\Program Files\iTunes
2009-03-16 21:08:11 ----D---- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 21:05:43 ----D---- C:\Program Files\QuickTime
2009-03-08 14:22:30 ----N---- C:\WINDOWS\system32\msrating.dll.mui
2009-03-08 14:22:18 ----N---- C:\WINDOWS\system32\mshta.exe.mui
2009-03-08 14:21:06 ----N---- C:\WINDOWS\system32\ie4uinit.exe.mui
2009-03-08 14:20:54 ----N---- C:\WINDOWS\system32\iedkcs32.dll.mui
2009-03-07 23:30:50 ----D---- C:\Program Files\7-Zip
2009-03-03 18:02:41 ----HDC---- C:\WINDOWS\$NtUninstallKB943729$
2009-03-03 18:02:31 ----HDC---- C:\WINDOWS\$NtUninstallKB902344$
2009-03-03 11:37:05 ----D---- C:\Program Files\Cisco Systems
2009-03-02 22:16:02 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-03-02 22:15:04 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$

======List of files/folders modified in the last 1 months======

2009-03-31 19:13:01 ----D---- C:\WINDOWS\Temp
2009-03-31 19:12:44 ----D---- C:\Documents and Settings\J.S. Majer\Application Data\WTablet
2009-03-31 19:04:22 ----D---- C:\WINDOWS\Prefetch
2009-03-31 19:04:19 ----D---- C:\WINDOWS\system32
2009-03-29 22:08:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-28 23:45:15 ----A---- C:\WINDOWS\hpbafd.ini
2009-03-28 23:25:27 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-24 10:16:13 ----D---- C:\Program Files\Mozilla Firefox
2009-03-24 10:10:30 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-03-24 09:43:50 ----SD---- C:\Documents and Settings\J.S. Majer\Application Data\Microsoft
2009-03-24 09:19:50 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-24 08:46:31 ----D---- C:\WINDOWS\system32\drivers
2009-03-24 08:46:27 ----SD---- C:\WINDOWS\Tasks
2009-03-24 08:46:15 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-03-24 08:44:04 ----SHD---- C:\WINDOWS\Installer
2009-03-24 08:43:52 ----RD---- C:\Program Files
2009-03-24 07:59:35 ----D---- C:\WINDOWS
2009-03-24 00:30:00 ----D---- C:\Program Files\Common Files
2009-03-24 00:20:15 ----HD---- C:\WINDOWS\inf
2009-03-23 23:57:39 ----A---- C:\WINDOWS\ntbtlog.txt
2009-03-23 22:53:59 ----D---- C:\WINDOWS\system32\appmgmt
2009-03-23 22:40:59 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-23 14:18:55 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-23 14:18:55 ----D---- C:\WINDOWS\system32\en-US
2009-03-23 14:18:55 ----D---- C:\WINDOWS\Media
2009-03-23 14:18:55 ----D---- C:\WINDOWS\Help
2009-03-23 14:18:55 ----D---- C:\Program Files\Internet Explorer
2009-03-23 14:01:44 ----RASH---- C:\boot.ini
2009-03-23 14:01:44 ----A---- C:\WINDOWS\win.ini
2009-03-23 14:01:44 ----A---- C:\WINDOWS\system.ini
2009-03-23 08:04:53 ----D---- C:\Program Files\Trend Micro
2009-03-23 07:59:31 ----D---- C:\WINDOWS\WinSxS
2009-03-23 01:07:46 ----A---- C:\WINDOWS\imsins.BAK
2009-03-16 21:08:15 ----D---- C:\Program Files\Common Files\Apple
2009-03-08 14:22:46 ----A---- C:\WINDOWS\system32\ieframe.dll.mui
2009-03-08 14:21:06 ----A---- C:\WINDOWS\system32\advpack.dll.mui
2009-03-08 14:09:26 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2009-03-08 04:41:16 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-03-08 04:39:48 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-03-08 04:34:58 ----A---- C:\WINDOWS\system32\wininet.dll
2009-03-08 04:34:56 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-03-08 04:34:48 ----A---- C:\WINDOWS\system32\WinFXDocObj.exe
2009-03-08 04:34:48 ----A---- C:\WINDOWS\system32\webcheck.dll
2009-03-08 04:34:30 ----A---- C:\WINDOWS\system32\licmgr10.dll
2009-03-08 04:34:28 ----A---- C:\WINDOWS\system32\url.dll
2009-03-08 04:34:18 ----A---- C:\WINDOWS\system32\occache.dll
2009-03-08 04:34:18 ----A---- C:\WINDOWS\system32\msrating.dll
2009-03-08 04:33:40 ----A---- C:\WINDOWS\system32\corpol.dll
2009-03-08 04:33:26 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-03-08 04:33:16 ----A---- C:\WINDOWS\system32\jscript.dll
2009-03-08 04:33:08 ----A---- C:\WINDOWS\system32\ieaksie.dll
2009-03-08 04:33:06 ----A---- C:\WINDOWS\system32\vbscript.dll
2009-03-08 04:33:02 ----A---- C:\WINDOWS\system32\ieakeng.dll
2009-03-08 04:32:56 ----A---- C:\WINDOWS\system32\admparse.dll
2009-03-08 04:32:54 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2009-03-08 04:32:52 ----A---- C:\WINDOWS\system32\ieudinit.exe
2009-03-08 04:32:52 ----A---- C:\WINDOWS\system32\ieakui.dll
2009-03-08 04:32:50 ----A---- C:\WINDOWS\system32\iesetup.dll
2009-03-08 04:32:50 ----A---- C:\WINDOWS\system32\iernonce.dll
2009-03-08 04:32:48 ----A---- C:\WINDOWS\system32\advpack.dll
2009-03-08 04:32:46 ----A---- C:\WINDOWS\system32\inseng.dll
2009-03-08 04:32:26 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-03-08 04:32:22 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-03-08 04:32:04 ----A---- C:\WINDOWS\system32\mstime.dll
2009-03-08 04:31:56 ----A---- C:\WINDOWS\system32\iepeers.dll
2009-03-08 04:31:54 ----A---- C:\WINDOWS\system32\msfeedssync.exe
2009-03-08 04:31:52 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-03-08 04:31:52 ----A---- C:\WINDOWS\system32\icardie.dll
2009-03-08 04:31:44 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2009-03-08 04:31:38 ----A---- C:\WINDOWS\system32\imgutil.dll
2009-03-08 04:31:38 ----A---- C:\WINDOWS\system32\dxtrans.dll
2009-03-08 04:31:36 ----A---- C:\WINDOWS\system32\pngfilt.dll
2009-03-08 04:31:26 ----A---- C:\WINDOWS\system32\mshtmled.dll
2009-03-08 04:31:18 ----A---- C:\WINDOWS\system32\mshtmler.dll
2009-03-08 04:31:02 ----A---- C:\WINDOWS\system32\mshta.exe
2009-03-08 04:22:46 ----A---- C:\WINDOWS\system32\ieui.dll
2009-03-08 04:22:38 ----A---- C:\WINDOWS\system32\msls31.dll
2009-03-08 04:11:12 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2009-03-08 01:08:18 ----D---- C:\WINDOWS\AppPatch
2009-03-06 06:17:48 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-06 05:16:49 ----D---- C:\Program Files\Windows Desktop Search
2009-03-05 13:24:13 ----D---- C:\Program Files\Quicken
2009-03-05 13:24:08 ----AC---- C:\WINDOWS\QUICKEN.INI
2009-03-05 13:23:08 ----D---- C:\Program Files\Common Files\Intuit
2009-03-05 13:22:50 ----RSD---- C:\WINDOWS\Fonts
2009-03-05 13:09:14 ----D---- C:\WINDOWS\system32\wbem
2009-03-02 22:15:53 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-02 22:14:33 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-08-11 39424]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\System32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 ACEDRV06;ACEDRV06; \??\C:\WINDOWS\system32\drivers\ACEDRV06.sys []
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.1.6.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-07-12 17119]
R2 INO_FLTR;INO_FLTR; \??\C:\WINDOWS\system32\Drivers\ino_fltr.sys []
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 43520]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 RT2500;RT2500 Wireless Driver; C:\WINDOWS\system32\DRIVERS\RT2500.sys [2006-06-02 236800]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-04-21 189664]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 viagfx;viagfx; C:\WINDOWS\system32\DRIVERS\vtmini.sys [2005-04-28 172544]
R3 VIAudio;Vinyl AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\vinyl97.sys [2007-06-27 207488]
R3 wacommousefilter;Wacom Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11312]
R3 wacomvhid;Wacom Virtual Hid Driver; C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2008-08-18 13352]
R3 WacomVKHid;Virtual Keyboard Driver; C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 11440]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-13 206976]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 43520]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-01-15 23848]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wacmoumonitor;Wacom Mode Helper; C:\WINDOWS\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 InoRPC;eTrust Antivirus RPC Server; C:\Program Files\CA\eTrust Antivirus\InoRpc.exe [2003-02-13 144864]
R2 InoRT;eTrust Antivirus Realtime Server; C:\Program Files\CA\eTrust Antivirus\InoRT.exe [2003-02-13 230880]
R2 InoTask;eTrust Antivirus Job Server; C:\Program Files\CA\eTrust Antivirus\InoTask.exe [2003-02-13 234976]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R2 LogWatch;Event Log Watch; C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 53248]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 TabletServicePen;TabletServicePen; C:\WINDOWS\system32\Pen_Tablet.exe [2008-12-11 2749736]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-03-12 656168]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 CA_LIC_CLNT;CA License Client; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 77824]
S3 CA_LIC_SRVR;CA License Server; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 77824]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; C:\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2002-08-01 65536]
S3 WMConnectCDS;Windows Media Connect Service; C:\Program Files\Windows Media Connect 2\wmccds.exe [2005-10-06 855552]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:30 PM

Posted 31 March 2009 - 08:09 PM

Hello,

Thanks for understanding, and you're welcome. :thumbup2:

Do you know what these folders are?
2009-03-24 08:37:49 ----D---- C:\hoo
2009-03-23 23:56:14 ----D---- C:\h


Highlight and copy the contents inside the code box below:

cd desktop
reg query "HKLM\software\microsoft\windows nt\currentversion\drivers32" /s >look2.txt
start notepad look2.txt
exit
cls

Click Start > Run, and, in the Open area, type: cmd
Press: Enter to open a command window.
Right-click by the blinking cursor in the command window and select: Paste
The command window will close and a log will open on your Desktop.

Paste the look.txt back here.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
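The command box in the post above dumps the drivers32 key. The reason a helper asks for it is that drivers32 names the multimedia driver DLLs that winmm loads into any process using the Windows multimedia API, so a value pointing at a DLL outside system32 is a persistence foothold. The following Python script is an added example, not from the thread or from any tool it mentions: it parses the `reg query ... /s` output (the look2.txt) and flags entries that deviate from the stock layout. The sample output, the C:\WINDOWS system root and the set of expected file extensions are assumptions made for the example; the non-stock paths in the sample are constructed placeholders, not indicators from this case.

```python
import re
from pathlib import PureWindowsPath

# Assumption: %SystemRoot% is C:\WINDOWS, as in the log posted above. Stock XP
# drivers32 entries are bare file names that winmm resolves from system32.
SYSTEMROOT = r"C:\WINDOWS"
SYSTEM32 = SYSTEMROOT + r"\system32"
# File types a legitimate multimedia driver or codec entry normally has (assumption).
ALLOWED_EXT = {".drv", ".dll", ".acm", ".ax"}

# Constructed sample modelled on the output format of `reg query ... /s` on XP.
# The first eight values are stock entries; the last four are made up for this
# example to exercise each rule (the midi9 path is a placeholder, not an IoC).
SAMPLE_LOOK2 = r"""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    aux    REG_SZ    wdmaud.drv
    midi    REG_SZ    wdmaud.drv
    midimapper    REG_SZ    midimap.dll
    mixer    REG_SZ    wdmaud.drv
    msacm.imaadpcm    REG_SZ    imaadp32.acm
    vidc.cvid    REG_SZ    iccvid.dll
    wave    REG_SZ    wdmaud.drv
    wavemapper    REG_SZ    msacm32.drv
    midi9    REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\example.dll
    aux2    REG_SZ    C:\WINDOWS\system32\wdmaud.drv
    vidc.xyz    REG_SZ    C:\WINDOWS\fakecodec.dll
    wave1    REG_SZ    helper.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server
"""

KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\")
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*?)\s*$")


def parse_reg_query(text):
    """Return (key, value_name, value_type, data) tuples from `reg query /s` output."""
    entries = []
    key = None
    for line in text.splitlines():
        if KEY_LINE.match(line):
            key = line.strip()          # a key header starts at column 0
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:       # value lines are indented under their key
            entries.append((key, m["name"], m["type"], m["data"]))
    return entries


def triage_drivers32(entries):
    """Return (value_name, data, reason) for entries that deviate from the stock layout."""
    findings = []
    for _key, name, _vtype, data in entries:
        # REG_EXPAND_SZ data may reference %SystemRoot%; expand it before comparing.
        expanded = re.sub(r"%systemroot%", lambda _m: SYSTEMROOT, data, flags=re.IGNORECASE)
        path = PureWindowsPath(expanded)
        reason = None
        if "\\" in expanded:
            # Stock entries carry no directory at all; an explicit one outside
            # system32 is the pattern to look at first.
            if str(path.parent).lower() != SYSTEM32.lower():
                reason = "explicit path outside %SystemRoot%\\system32"
            else:
                reason = "explicit path (stock entries are bare file names)"
        elif path.suffix.lower() not in ALLOWED_EXT:
            reason = "unexpected file type for a multimedia driver"
        if reason:
            findings.append((name, data, reason))
    return findings


if __name__ == "__main__":
    for name, data, reason in triage_drivers32(parse_reg_query(SAMPLE_LOOK2)):
        print(f"{name:<12} {data:<60} {reason}")
```

Feed it the real look2.txt with `parse_reg_query(open("look2.txt").read())`; the script only reads the dump, it changes nothing on the machine, and every flagged entry still needs a human to check the named file before anything is removed.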

#5 Slatz

Slatz
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:30 PM

Posted 01 April 2009 - 01:00 PM

tea,

I created those folders to house HijackThis.

I cannot run cmd. When I run it, everything but my desktop background disappears, then reappears a moment later, without giving me a command line to work from.

Thanks,

Slatz

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:30 PM

Posted 01 April 2009 - 01:04 PM

Hi,

Okay then, we'll do something else. :)

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :step4:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If it has trouble running, rename ComboFix.exe to slatz.exe and try it that way. :thumbup2:

Thanks,
tea

#7 Slatz (Topic Starter)

Posted 01 April 2009 - 01:29 PM

tea,

I slightly didn't follow directions, and you can tell me how much I've screwed it up vs. it's being tenacious.

I downloaded combofix from another computer, and moved it over on a usb drive. I copied it to the infected desktop, and then copied on the desktop, changing the name of the copied program to slatz.

I switched off all of my protections and ran combofix. The combofix box pops up, runs through, then nothing happens. I ran slatz, and the result was the same. I then deleted both from my desktop, then changed the name of combofix while on the usb drive, then copied the slatz file over. This time, it seems to have hung with the box open. I stopped the process from the task manager and ran it again, and the result was the same as the first time.

Will it matter if I download it directly onto the infected computer? I know a lot of my access to security sites is blocked (including this one) from it, so actual downloading may prove difficult.

-Slatz

#8 teacup61

Posted 01 April 2009 - 01:36 PM

Hi,

What do you mean it "runs through"? Look for C:\Qoobox and tell me if there's anything in the quarantine. I'm betting it ran and produced a log, but you deleted it before you looked for it. You can certainly download it to the infected machine, or try to. :thumbup2: Especially if it did run and was able to delete some of the bad stuff already. :)

#9 Slatz (Topic Starter)

Posted 01 April 2009 - 01:50 PM

tea,

By "run through," I mean that, when I click on combofix or a variant, a small, black and white box with the name "combofix" on it pops up just beside the program icon on my desktop. It has a progress bar, which fills with some speed. After that, nothing more seems to occur.

I can also say that I do not see a C:\qoobox folder on the drive, nor does one turn up on a search.

The next stage of the attempt may have to wait until later in the day, but thanks again for your help so far.

-Slatz

#10 teacup61

Posted 01 April 2009 - 01:52 PM

Not a problem, and you're welcome. :thumbup2:

Post when you're ready.

#11 Slatz (Topic Starter)

Posted 04 April 2009 - 11:18 AM

Okay, either downloading it straight onto the computer or (as I remembered it was there) turning off Windows Firewall seems to have done the trick, and it progressed further.

I did have to download Windows Recovery Console (a bit harrowing).

Ran both. Will attach the logs this time so as to better sort.

Thanks yet one more time.

-Slatz

Attached Files



#12 teacup61

Posted 04 April 2009 - 06:13 PM

Hello,

How is it running now please? :thumbup2:

tea

#13 Slatz (Topic Starter)

Posted 10 April 2009 - 01:55 PM

Seems to be running alright now, though I'm still a little frightened to use it. Is there any way to tell what the infection was?

Thanks again for the help.

-S.

#14 teacup61

Posted 10 April 2009 - 02:20 PM

Hi there,

Why are you scared to use it? Are you still having problems? Or did you not make the burnt offerings you said you did in your first post? :thumbup2: As for the infection, you had it right in the thread title. :)

#15 teacup61

Posted 20 April 2009 - 07:43 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Edited by teacup61, 20 April 2009 - 09:40 AM.




